Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 03-05-2024 12:25
Static task: static1
Behavioral task: behavioral1
  Sample: 10835bbaba51e62af438366f2128e5f5_JaffaCakes118.rtf
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 10835bbaba51e62af438366f2128e5f5_JaffaCakes118.rtf
  Resource: win10v2004-20240419-en
General
Target: 10835bbaba51e62af438366f2128e5f5_JaffaCakes118.rtf
Size: 1.3MB
MD5: 10835bbaba51e62af438366f2128e5f5
SHA1: 0763eb8bfb1439878c4c02ce4e950c07275ebf02
SHA256: 4195ef696648e960bcd28f15347ed3c6454b8dec1bbe5adc54c9a341c1070e89
SHA512: d37cd3e3f80ca2525aadf73b964331109ae7b9aca4997b946fa83aaff8a1a9622ea8d59644f81ef36ae59ef848d9dfc327ffcfea15c3d97edfa3985d34487aa3
SSDEEP: 24576:ndHDcq47d/mF6dxhXwsnfPf+5+XP0WF0ncXr4r/UjZLjkr12JzQf/jpYzQcwwKs4:9
Malware Config
Signatures
Executes dropped EXE (7 IoCs)
  pid | Process
  1972 | intel.scr
  1132 | intel.scr
  2328 | intel.scr
  856 | exe.exe
  2368 | exe.exe
  3056 | exe.exe
  2956 | exe.exe
Loads dropped DLL (11 IoCs)
  pid | Process
  2392 | WINWORD.EXE
  2392 | WINWORD.EXE
  2392 | WINWORD.EXE
  2392 | WINWORD.EXE
  2392 | WINWORD.EXE
  2392 | WINWORD.EXE
  2120 | CmD.exe
  2820 | cmd.exe
  856 | exe.exe
  2368 | exe.exe
  3056 | exe.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Hosts = "C:\\Users\\Admin\\AppData\\Roaming\\System332\\whosts.exe" | exe.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Hosts = "\\System332\\whosts.exe" | exe.exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 856 set thread context of 2368 | 856 | exe.exe | 64
  PID 3056 set thread context of 2956 | 3056 | exe.exe | 76
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Kills process with taskkill (1 IoCs)
  pid | Process
  2184 | taskkill.exe
Launches Equation Editor (1 TTPs, 2 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid | Process
  2288 | EQNEDT32.EXE
  2852 | EQNEDT32.EXE
Modifies Internet Explorer settings
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  2660 | PING.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2392 | WINWORD.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2956 | exe.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2184 | taskkill.exe
  Token: SeDebugPrivilege | 2368 | exe.exe
  Token: SeDebugPrivilege | 2956 | exe.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  2392 | WINWORD.EXE
  2392 | WINWORD.EXE
  2956 | exe.exe
Suspicious use of WriteProcessMemory (64 IoCs; each row below was recorded 4 times)
  description | pid | Process | procid_target
  PID 2392 wrote to memory of 1972 | 2392 | WINWORD.EXE | 28
  PID 2392 wrote to memory of 1132 | 2392 | WINWORD.EXE | 29
  PID 1132 wrote to memory of 2788 | 1132 | intel.scr | 31
  PID 1972 wrote to memory of 1464 | 1972 | intel.scr | 30
  PID 2788 wrote to memory of 1636 | 2788 | WScript.exe | 33
  PID 1464 wrote to memory of 2820 | 1464 | WScript.exe | 34
  PID 2852 wrote to memory of 2120 | 2852 | EQNEDT32.EXE | 37
  PID 2120 wrote to memory of 2328 | 2120 | CmD.exe | 40
  PID 2820 wrote to memory of 856 | 2820 | cmd.exe | 41
  PID 2820 wrote to memory of 2184 | 2820 | cmd.exe | 42
  PID 2328 wrote to memory of 668 | 2328 | intel.scr | 43
  PID 668 wrote to memory of 1812 | 668 | WScript.exe | 44
  PID 2820 wrote to memory of 1880 | 2820 | cmd.exe | 47
  PID 2820 wrote to memory of 1352 | 2820 | cmd.exe | 48
  PID 2820 wrote to memory of 1616 | 2820 | cmd.exe | 49
  PID 2820 wrote to memory of 616 | 2820 | cmd.exe | 50
Processes (indentation shows the parent/child tree depth)
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\10835bbaba51e62af438366f2128e5f5_JaffaCakes118.rtf"
  PID: 2392
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\intel.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\intel.scr" /S
    PID: 1972
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\task.vbs"
      PID: 1464
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\task.bat" "
        PID: 2820
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\exe.exe
          Command line: exe.exe
          PID: 856
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          C:\Users\Admin\AppData\Local\Temp\RarSFX0\exe.exe
            Command line: exe.exe
            PID: 2368
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\Temp\exe\exe.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\exe\exe.exe"
              PID: 3056
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              C:\Users\Admin\AppData\Local\Temp\exe\exe.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\exe\exe.exe"
                PID: 2956
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\exe.exe"
              PID: 2800
              C:\Windows\SysWOW64\PING.EXE
                Command line: ping 1.1.1.1 -n 1 -w 1000
                PID: 2660
                - Runs ping.exe
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im winword.exe
          PID: 2184
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
          PID: 1880
        C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
          PID: 1352
        C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
          PID: 1616
        C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
          PID: 616
        C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
          PID: 1912
        C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
          PID: 2212
        C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
          PID: 1856
        C:\Windows\SysWOW64\reg.exe
          Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
          PID: 2384
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
          PID: 1864
          C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
            PID: 2216
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
          PID: 1064
          C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
            PID: 908
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
          PID: 276
          C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
            PID: 2312
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
          PID: 2332
          C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
            PID: 2976
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
          PID: 1232
          C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
            PID: 2044
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
          PID: 2380
          C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
            PID: 768
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
          PID: 1088
          C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
            PID: 1604
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
          PID: 1720
          C:\Windows\SysWOW64\reg.exe
            Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
            PID: 1916
  C:\Users\Admin\AppData\Local\Temp\intel.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\intel.scr" /S
    PID: 1132
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\task.vbs"
      PID: 2788
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\task.bat" "
        PID: 1636
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2852
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\CmD.exe
    Command line: CmD /C %tmp%\intel.scr & UUUUUUUUc
    PID: 2120
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\intel.scr
      Command line: C:\Users\Admin\AppData\Local\Temp\intel.scr
      PID: 2328
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX2\task.vbs"
        PID: 668
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\task.bat" "
          PID: 1812
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2288
  - Launches Equation Editor
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 108B
MD5: 00f4d3f775c6ac6f1746153371614806
SHA1: adb7b3a57c38e27dce59dd700373798eca0cfb6b
SHA256: 72175df25e14f2daa73d33844d211ef3d6ee253c5475de893bdc16d7210a6865
SHA512: 0f5752953faaa833bce11215112880d59c48f8ab3c7de2c9e7c46b4975f74b5f29ed8c63e6c5d94807d6cc8dbfa11b5038b166e577874af84497243e762e3f51

Filesize: 2KB
MD5: 9349b55fa165d64cbb4913fe3d2e86bd
SHA1: 0a4f64064e19c46b18261fbec5879548bda10977
SHA256: c821c21c4b495d1017bcddee20bf6b0b9ad9b5b1d0068b1c1e888a4d0f1ad2bd
SHA512: 4dc25ee0f6158e0e2340c2eb85330ae2bb4bea95c0f45a49a00ef7ee69a01fa1d9c10de999d5740e03f394db02dd00670e946d63e34977e6bef531f51d9809d5

Filesize: 32KB
MD5: 98c7b258be8ff2d03181f28b32de76d1
SHA1: 6e3e523e4600c572983b164fa9d539ca0dff2f93
SHA256: e4f7827d6b6e271d0f876ee69833e4cdb26ce87f11238225d6a5740f140961fa
SHA512: a4e6393d795d1da56276251f25cb49b68cee5651d486e9b536f8843af3952fa34445277c5648ac9f180caf5c7052fc03b371a304d9b79317bc060b565dc480e9

Filesize: 567B
MD5: 3e080b9dc1195efed3b2a5d8bd27adf1
SHA1: 17b7ddaf62d0d149a158c58274fe155559e0bd2a
SHA256: 0ffa8cb2784d7ce3342c94f102d746740f4059a931d8c0ba2c35724aa3c2ebdc
SHA512: 816937931b2ff006103cb5059bb000870421145dfa94b09885b93857f62edd62db4babb1ef4b3ce42992c45771eb97de31ec2d040e66ce9ebf78a027be586e2c

Filesize: 51B
MD5: cda75ec241c0c317b0019512d109af2d
SHA1: 0907aab88e05807c1eff7d477ce17fcd4176dd3b
SHA256: a26850091b69aed12f3889f907e1ae262816b58cf90b6c81f101f2a57a4df5f7
SHA512: 4a2694bd6bff671b5e2b131f60b752c95e1c578ec4c22ace6ef8dbc5543851fcf7cccd683a02912d6bc0c0cca09659d26983def4df168e1ba0a0871c3a624841

Filesize: 438KB
MD5: c3873540a8a330e894523f1f99e9ab83
SHA1: e62576ce0a83fa0d55352769b45ac7c24d6b05c0
SHA256: 0eaa4cbaeccf82a448964d79b9934773896c4c824b4f6fbf127f07c3adc67e54
SHA512: 2dc32fd0ce39f98722532dc509b13070325d831f3e63e605dc41ac8fa9e50c483a33b0599b15116097ab8be70b2656a9ebadcfec5ea39c98ca2654c70fc402f7

Filesize: 622KB
MD5: a054fa130c7f61330bc433aec47cd74d
SHA1: 47e2a6fd78f9ba64c961833ef69494dd6f5aa127
SHA256: cfa35d9d629183aa990bde0d911c0d1abecad540d25e35a7e0e0d8ec9ef14ecd
SHA512: b2ec89b7dde509d2e52e9ef38708948178c40801965c63ae3849bb27a122617faa6766dfe0babf0d1aab66b0c5654a3f5f9e67bc202573c116bfbea12371ce1c